Hi,

I'm creating a homepage for a website and I've stumbled on a small feature.

So I'm using a database (SQL) to save my users.
I'm throwing in some salt and hashing their passwords, but then my problem comes.

If the user attempts to change his password,
I ask him to insert his older password, his new and confirm his new.

Yet since the passwords are hashed and salted they don't match and my stored procedure in SQL returns -2.

ALTER PROCEDURE [dbo].[spChangePassword]
(
	@sUsername varchar(50),
	@sPasswordOld varchar(100),
	@sPasswordOldSalt varchar(128),
	@sPasswordNew varchar(100),
	@sPasswordNewSalt varchar(128)
)
AS
BEGIN
	SET NOCOUNT ON;

	-- The supplied old password value must equal the stored value
	if (exists (select 1
				from USERS
				where Username = @sUsername
				and Password = @sPasswordOld))
	begin
		-- The supplied new password value must differ from the stored value
		if (exists (select 1
					from USERS
					where Username = @sUsername
					and Password != @sPasswordNew))
		begin
			select 1;

			update USERS
			set Password = @sPasswordNew,
				Password_Salt = @sPasswordNewSalt
			where Username = @sUsername;
		end
		else
			select -1; -- New Pass = Old Pass, please change
	end
	else
		select -2; -- Old Pass is wrong
END


Am I doing something wrong with regard to hashing the passwords?
How can I compare two salted passwords?

Cheers,
Zamuk
Comments
Kornfeld Eliyahu Peter 13-Oct-14 14:57pm    
How do you check an existing password upon login?
[no name] 13-Oct-14 14:59pm    
http://www.codeproject.com/Questions/828839/How-to-change-password-from-database?arn=0

1 solution

When a user first sets their password you hash the password through C# and then store that value in the database.

When they want to change the password, you hash in C# the value they put in for current password and then you read the hash from sql and compare the hash values to see if they are the same.
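
The comparison described in the answer, as an added example that is not part of the original question or answer: the typed old password is re-hashed with the salt already stored for that user (a freshly generated salt can never reproduce the stored hash), then compared in constant time. The in-memory dictionary standing in for the USERS table, the PBKDF2 parameters and all class and method names are assumptions; it requires .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: an in-memory dictionary stands in for the USERS table (assumption).
static class PasswordChangeDemo
{
    const int Iterations = 600_000, SaltBytes = 16, HashBytes = 32; // assumed parameters

    // username -> (Password, Password_Salt) as they would be stored in the row
    static readonly Dictionary<string, (byte[] Hash, byte[] Salt)> Users = new();

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

    static void SetPassword(string user, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh salt for every new password
        Users[user] = (Derive(password, salt), salt);
    }

    // Same return codes as spChangePassword: 1 = changed, -1 = new equals old, -2 = old is wrong.
    static int ChangePassword(string user, string oldPassword, string newPassword)
    {
        if (!Users.TryGetValue(user, out var row)) return -2;

        // Re-hash the typed old password with the salt stored for this user,
        // never with a newly generated one, then compare in constant time.
        if (!CryptographicOperations.FixedTimeEquals(Derive(oldPassword, row.Salt), row.Hash))
            return -2;

        // "New equals old" must also be tested against the stored salt.
        if (CryptographicOperations.FixedTimeEquals(Derive(newPassword, row.Salt), row.Hash))
            return -1;

        SetPassword(user, newPassword); // stores the new hash with a new salt
        return 1;
    }

    static void Main()
    {
        SetPassword("alice", "correct horse"); // constructed sample account
        Console.WriteLine(ChangePassword("alice", "wrong guess", "new secret"));
        Console.WriteLine(ChangePassword("alice", "correct horse", "correct horse"));
        Console.WriteLine(ChangePassword("alice", "correct horse", "new secret"));
        Console.WriteLine(ChangePassword("alice", "correct horse", "new secret"));
    }
}
```

With a real database, the row lookup becomes a parameterized query that returns Password and Password_Salt for the username, and the update writes the new hash and the new salt together.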
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


